CN117201232A - High-performance IPSec VPN method - Google Patents

Info

Publication number: CN117201232A
Authority: CN (China)
Prior art keywords: data packet, IPSec VPN, encryption, performance, IPSec
Legal status: Pending
Application number: CN202311146752.4A
Other languages: Chinese (zh)
Inventors: 褚学礼, 刘磊
Current assignee: Zhongan Yunke Technology Development Shandong Co ltd
Original assignee: Zhongan Yunke Technology Development Shandong Co ltd
Priority date: 2023-09-06
Filing date: 2023-09-06
Publication date: 2023-12-08

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a high-performance IPSec VPN method in the technical field of Internet communication, comprising the following steps: step one, a service host sends packets to its peer and thereby triggers the IPSec VPN negotiation mechanism; step two, an IKE module running in the operating system generates negotiation packets and carries out the negotiation with the peer IPSec VPN; step three, after negotiation completes, a working key is generated and handed to the encryption network card; step four, the encryption network card encrypts the plaintext data sent by the service host and transmits the packets; step five, after receiving the encrypted packets, the peer IPSec VPN decrypts them with the working key and forwards them; and step six, one communication is complete when the peer service host receives the plaintext service packet. The invention improves on the conventional IPSec VPN implementation: using a high-performance encryption/decryption chip and an MPE chip, the IPSec VPN encrypted stream is offloaded onto the card, kernel forwarding is bypassed, and high-performance IPSec is achieved at lower cost.

Description

High-performance IPSec VPN method
Technical Field
The invention relates to the technical field of internet communication, in particular to a high-performance IPSec VPN method.
Background
An IPsec VPN is a VPN for remote access built on the IPsec (Internet Protocol Security) protocol suite, a security framework standardised by the Internet Engineering Task Force (IETF). It provides a secure communication channel between two private networks across a public network and guarantees the security of the connection through an encrypted tunnel, giving the two public gateways a private packet service between them. IPsec was introduced for two reasons. First, the original TCP/IP design contained no security at all: anyone able to tap the line could read all of the traffic. IPsec adds a complete security mechanism with encryption, authentication and tamper detection. Second, with the rapid growth of the Internet and ever easier access, many customers want to use Internet bandwidth to interconnect networks at different sites; by encapsulating the internal network's IP addresses inside Internet-routable addresses, IPsec makes such site-to-site interconnection possible.
A conventional IPSec VPN is usually implemented with the open-source IPsec components of the Linux kernel, but the IP packet forwarding performance of a general-purpose Linux kernel is limited, which makes a high-performance IPSec VPN hard to achieve. Another route to a high-performance IPSec VPN is the Data Plane Development Kit (DPDK), but that approach has a high technical threshold and a high up-front development cost.
Disclosure of Invention
The invention provides a high-performance IPSec VPN method to solve the problems described in the background.
In order to solve these technical problems, the invention adopts the following technical solution:
a high-performance IPSec VPN method comprising the following steps:
step one, a service host sends packets to its peer and thereby triggers the IPSec VPN negotiation mechanism;
step two, an IKE module running in the operating system generates negotiation packets and carries out the negotiation with the peer IPSec VPN;
step three, after negotiation completes, a working key is generated and handed to the encryption network card;
step four, the encryption network card encrypts the plaintext data sent by the service host and transmits the packets;
step five, after receiving the encrypted packets, the peer IPSec VPN decrypts them with the working key and forwards them;
and step six, one communication is complete when the peer service host receives the plaintext service packet.
The technical solution of the invention is further improved as follows: the IPSec VPN (tunnel mode) is divided, according to the form of the packets, into an IKE phase and an ESP phase; the IKE phase is mainly used for key negotiation between the two devices, and the ESP phase carries out encrypted communication of packets using the negotiated key.
The technical solution of the invention is further improved as follows: the IKE phase does not affect the service data flow, whereas the ESP phase is closely tied to the overall IPSec throughput; the encryption/decryption rate of the cryptographic device and the forwarding performance for network packets directly determine the IPSec throughput. The cryptographic device is therefore integrated into the network card, packets are encrypted and decrypted directly by the high-performance encryption/decryption algorithm of the cryptographic chip, and after the operation the packets are forwarded from the network card straight to the target machine.
The technical solution of the invention is further improved as follows: only the IKE phase requires the involvement of the operating system; encryption and decryption of all other service data flows is completed directly by the network card.
The technical solution of the invention is further improved as follows: step three further comprises the following: the high-performance encryption/decryption algorithm of the cryptographic chip encrypts and decrypts packets directly, and after the operation the packets are forwarded from the network card straight to the target machine, so that redundant protocol-stack processing in the operating system is omitted.
The technical solution of the invention is further improved as follows: step six further comprises the following: after a plaintext packet is received, encryption, decryption and unpacking of the packet are accomplished by passing through the encryption network card alone; all operations take place within the same hardware component, with no data circulating outside it.
By adopting the above technical solution, the invention makes the following technical progress compared with the prior art:
1. The invention provides a high-performance IPSec VPN method that improves on the conventional IPSec VPN implementation: using a high-performance encryption/decryption chip and an MPE chip, the IPSec VPN encrypted stream is offloaded onto the card, kernel forwarding is bypassed, and high-performance IPSec is achieved at lower cost.
2. The invention provides a high-performance IPSec VPN method that integrates the cryptographic device into the network card, encrypts and decrypts packets directly with the high-performance encryption/decryption algorithm of the cryptographic chip, forwards the packets from the network card straight to the target machine after the operation, omits redundant protocol-stack processing in the operating system, and thereby greatly improves IPSec forwarding performance.
3. The invention provides a high-performance IPSec VPN method in which, over the whole procedure, only the IKE phase requires the involvement of the operating system; encryption and decryption of all other service data flows is completed directly by the network card, which greatly improves transmission efficiency.
4. The invention provides a high-performance IPSec VPN method in which, after a plaintext packet is received, encryption, decryption and unpacking of the packet are accomplished by passing through the encryption network card alone; all operations take place within the same hardware component with no data circulating outside it, which is more efficient and greatly improves the overall throughput of the IPSec VPN.
Drawings
FIG. 1 is a flow chart of an IPSec VPN implementation method of the present invention;
FIG. 2 is a block diagram of a packet flow according to the present invention;
FIG. 3 is a block diagram of a conventional IPSec VPN data flow.
Detailed Description
The invention is further illustrated by the following examples:
example 1
As shown in FIG. 1 and FIG. 2, the invention provides a high-performance IPSec VPN method comprising the following steps:
step one, a service host sends packets to its peer and thereby triggers the IPSec VPN negotiation mechanism;
step two, an IKE module running in the operating system generates negotiation packets and carries out the negotiation with the peer IPSec VPN;
step three, after negotiation completes, a working key is generated and handed to the encryption network card;
step four, the encryption network card encrypts the plaintext data sent by the service host and transmits the encrypted data; the service host here is a mobile communication terminal dedicated to service contact and information transmission, also called an interphone or two-way radio device, which communicates by radio signals and supports voice and data transmission over varying distances;
step five, after receiving the ciphertext packet, the peer IPSec VPN decrypts it with the working key and forwards it. A key is a parameter supplied to the algorithm that converts plaintext into ciphertext or ciphertext back into plaintext. Keys are either symmetric or asymmetric: with symmetric (session-key) encryption the sender and receiver of a message use the same key for encryption and decryption, whereas with asymmetric (public-key) encryption, encryption and decryption use different keys, one published openly as the public key and the other kept secret by the user as the private key;
and step six, one communication is complete when the peer service host receives the plaintext service packet. The method improves on the conventional IPSec VPN implementation: using a high-performance encryption/decryption chip and an MPE chip, the IPSec VPN encrypted stream is offloaded onto the card, kernel forwarding is bypassed, and high-performance IPSec is achieved at lower cost.
Example 2
As shown in FIG. 1 and FIG. 2, on the basis of embodiment 1 the invention provides the following technical solution. Preferably, the IPSec VPN (tunnel mode) is divided into two phases according to the form of the packets: the IKE phase is mainly used for key negotiation between the two devices, and the ESP phase uses the negotiated key for encrypted communication of packets. The IKE phase does not affect the service data flow, whereas the ESP phase is closely tied to the overall IPSec throughput; the encryption/decryption rate of the cryptographic device and the forwarding performance for network packets directly determine the IPSec throughput. The cryptographic device is integrated into the network card. A network card is a piece of computer hardware designed to let a computer communicate on a computer network; because it carries a MAC address it sits between layer 1 and layer 2 of the OSI model, connecting users to each other over cable or wirelessly. Each network card has a unique 48-bit serial number, the MAC address, written into a ROM on the card, and every computer on the network must have a unique MAC address. The high-performance encryption/decryption algorithm of the cryptographic chip operates on the packets directly, and after the operation they are forwarded from the network card straight to the target machine. Only the IKE phase requires intervention by the operating system; encryption and decryption of all other service data flows is completed directly by the network card, which greatly raises transmission efficiency. In IPSec tunnel mode both the IP header and the payload are encrypted, whereas transport mode encrypts only the IP payload. With tunnel mode the AH or ESP payload protects the whole IP packet: the entire IP packet is encapsulated with an AH or ESP header and an additional IP header, the addresses in the outer IP header are the tunnel endpoints, and the addresses in the encapsulated IP header are the ultimate source and destination.
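The six-step procedure (IKE in the operating system, working key handed to the card, ESP done on the card) and the tunnel-mode encapsulation described in this embodiment, modelled as an added example that is not part of the patent or of the applicant's product: the data plane the encryption network card would have to run, written here in Go with AES-128-GCM ESP in tunnel mode per RFC 4106 and RFC 4303. The names SA, NewSA, Encap and Decap, the fixed 64-packet anti-replay window and the use of the sequence number as the explicit IV are assumptions of this example; the MPE chip and the card's internal interface are not modelled, and IKE is reduced to giving both ends of one direction the same key material, which is all the card ever sees.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SA is one direction of the "working key" that the IKE module in the operating system hands
// to the encryption network card in step three (RFC 4106 key material: 16-byte AES key + 4-byte salt).
type SA struct {
	SPI    uint32
	aead   cipher.AEAD
	salt   [4]byte
	seq    uint32 // outbound: last sequence number sent
	top    uint32 // inbound: highest sequence number accepted so far
	window uint64 // inbound: bitmap of the 64 sequence numbers at or below top
}

// NewSA installs negotiated key material into the card's SA table (step three).
func NewSA(spi uint32, keymat []byte) (*SA, error) {
	if len(keymat) != 20 {
		return nil, errors.New("AES-128-GCM ESP needs 16 key bytes + 4 salt bytes")
	}
	block, err := aes.NewCipher(keymat[:16])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce = salt || 8-byte per-packet IV
	if err != nil {
		return nil, err
	}
	sa := &SA{SPI: spi, aead: aead}
	copy(sa.salt[:], keymat[16:])
	return sa, nil
}

// Encap is step four on the card: wrap an inner IP packet as a tunnel-mode ESP packet,
// SPI | Seq | IV | AES-GCM(inner packet | pad | pad length | next header = 4) | ICV.
func (sa *SA) Encap(innerIP []byte) ([]byte, error) {
	if sa.seq == ^uint32(0) {
		return nil, errors.New("sequence number exhausted: IKE must rekey the SA")
	}
	sa.seq++
	hdr := make([]byte, 16) // SPI, Seq, then the explicit IV (a counter, as RFC 4106 allows)
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(sa.seq))
	padLen := (4 - (len(innerIP)+2)%4) % 4 // ESP trailer must end on a 4-byte boundary
	plain := append([]byte{}, innerIP...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding bytes 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), 4) // next header 4 = IP-in-IP, i.e. tunnel mode
	nonce := append(append([]byte{}, sa.salt[:]...), hdr[8:]...)
	return sa.aead.Seal(hdr, nonce, plain, hdr[:8]), nil // SPI||Seq authenticated as AAD
}

// Decap is step five on the peer's card: authenticate, replay-check and strip the envelope.
// The anti-replay window is the check a bare "decrypt with the working key" leaves implicit.
func (sa *SA) Decap(pkt []byte) ([]byte, error) {
	if len(pkt) < 16+sa.aead.Overhead()+2 {
		return nil, errors.New("packet too short for ESP header, IV, trailer and ICV")
	}
	spi, seq := binary.BigEndian.Uint32(pkt[0:]), binary.BigEndian.Uint32(pkt[4:])
	if spi != sa.SPI {
		return nil, errors.New("no SA installed for this SPI")
	}
	if !sa.replayOK(seq) {
		return nil, errors.New("sequence number replayed or outside the anti-replay window")
	}
	nonce := append(append([]byte{}, sa.salt[:]...), pkt[8:16]...)
	plain, err := sa.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return nil, errors.New("ICV check failed: packet modified or wrong key")
	}
	sa.replayMark(seq) // advance the window only after authentication succeeds
	padLen := int(plain[len(plain)-2])
	if plain[len(plain)-1] != 4 || padLen+2 > len(plain) {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}

// replayOK and replayMark implement the RFC 4303 Appendix A sliding window, 64 packets wide.
func (sa *SA) replayOK(seq uint32) bool {
	if seq == 0 || seq > sa.top { // 0 is never valid; right of the window is always new
		return seq != 0
	}
	diff := sa.top - seq
	return diff < 64 && sa.window&(1<<diff) == 0
}

func (sa *SA) replayMark(seq uint32) {
	if seq > sa.top {
		sa.window, sa.top = sa.window<<(seq-sa.top)|1, seq // a shift of 64 or more yields 0
		return
	}
	sa.window |= 1 << (sa.top - seq)
}
```

What the example adds to the description: the card must do more than "encrypt and decrypt with the working key". It has to bind SPI and sequence number into the ICV, enforce an anti-replay window, and refuse to wrap the 32-bit sequence number, because with a counter IV (or any IV reuse) AES-GCM loses both confidentiality and integrity under the same key; sequence exhaustion therefore has to be reported back to the IKE module in the operating system so that it rekeys, which is the one interaction between the two halves that the six steps do not spell out. A card that offloads only the cipher and leaves replay checks and rekeying to a kernel it has bypassed has no one left to perform them.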
Example 3
As shown in FIG. 1 and FIG. 2, on the basis of embodiment 1 the invention provides the following technical solution. Preferably, step three further comprises the following: the high-performance encryption/decryption algorithm of the cryptographic chip encrypts and decrypts packets directly, and after the operation the packets are forwarded from the network card straight to the target machine, omitting redundant protocol-stack processing in the operating system, so that IPSec forwarding performance is greatly improved.
Example 4
As shown in FIG. 1 and FIG. 2, on the basis of embodiment 1 the invention provides the following technical solution. Preferably, step six further comprises the following: after a plaintext packet is received, encryption, decryption and unpacking of the packet are accomplished by passing through the encryption network card alone. Plaintext may be any bit stream in a communication system, such as text, a bitmap, digitised speech or digitised video; in general it can simply be regarded as a meaningful set of characters or bits, or a message obtainable under some public coding standard. When plaintext is transformed by an encryption algorithm, the result is called ciphertext; given the ciphertext, the decryption algorithm corresponding to the encryption algorithm recovers the plaintext. All operations take place within the same hardware component, with no data circulating outside it. In a conventional IPSec implementation, as shown in FIG. 3, the data flow passes repeatedly in and out of the kernel protocol stack and exchanges data with an external cipher card for encryption and decryption; this is inefficient and limits the overall IPSec throughput. In the present method the data flow is as shown in FIG. 2: after a plaintext packet is received it only has to pass through the encryption network card for encryption, decryption and unpacking to be completed, the whole operation takes place within the same hardware component with no external data flow, and the overall throughput is greatly improved.
The invention has been described above in general terms and in detail, but it will be apparent to those skilled in the art that modifications and improvements can be made to it. Such modifications and improvements within the spirit of the inventive concept are intended to be covered.

Claims (6)

1. A high-performance IPSec VPN method, characterized by: the high-performance IPSec VPN method comprises the following steps:
step one, a service host sends packets to its peer and thereby triggers the IPSec VPN negotiation mechanism;
step two, an IKE module running in the operating system generates negotiation packets and carries out the negotiation with the peer IPSec VPN;
step three, after negotiation completes, a working key is generated and handed to the encryption network card;
step four, the encryption network card encrypts the plaintext data sent by the service host and transmits the packets;
step five, after receiving the encrypted packets, the peer IPSec VPN decrypts them with the working key and forwards them;
and step six, one communication is complete when the peer service host receives the plaintext service packet.
2. The high-performance IPSec VPN method according to claim 1, characterized in that: the IPSec VPN (tunnel mode) is divided, according to the form of the packets, into an IKE phase and an ESP phase, wherein the IKE phase is mainly used for key negotiation between the two devices and the ESP phase carries out encrypted communication of packets using the negotiated key.
3. The high-performance IPSec VPN method according to claim 2, characterized in that: the IKE phase does not affect the service data flow, whereas the ESP phase is closely tied to the overall IPSec throughput; the encryption/decryption rate of the cryptographic device and the forwarding performance for network packets directly determine the IPSec throughput; the cryptographic device is integrated into the network card, packets are encrypted and decrypted directly by the high-performance encryption/decryption algorithm of the cryptographic chip, and after the operation the packets are forwarded from the network card straight to the target machine.
4. The high-performance IPSec VPN method according to claim 2, characterized in that: only the IKE phase requires the involvement of the operating system, and encryption and decryption of all other service data flows is completed directly by the network card.
5. The high-performance IPSec VPN method according to claim 1, characterized in that: step three further comprises the following: the high-performance encryption/decryption algorithm of the cryptographic chip encrypts and decrypts packets directly, and after the operation the packets are forwarded from the network card straight to the target machine, so that redundant protocol-stack processing in the operating system is omitted.
6. The high-performance IPSec VPN method according to claim 1, characterized in that: step six further comprises the following: after a plaintext packet is received, encryption, decryption and unpacking of the packet are accomplished by passing through the encryption network card alone, and all operations take place within the same hardware component with no data circulating outside it.

Priority Application

Application Number: CN202311146752.4A
Priority Date: 2023-09-06
Filing Date: 2023-09-06
Title: High-performance IPSec VPN method

Publication

Publication Number: CN117201232A
Publication Date: 2023-12-08

Family

ID: 88988112

Country Status

CN: CN117201232A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination